A study commissioned by Cisco highlights that many corporate employees are unaware of IT security policies, while others ignore them in the name of productivity. The gap in understanding comes down to communication and properly aligning security with the needs of the business.

As actor Paul Newman's character said in "Cool Hand Luke":
"What we've got here is a failure to communicate."
The well-known quip is relevant to IT security in many enterprises.
According to a survey by InsightExpress, one of the key issues surrounding IT
is that many employees simply do not understand or know the security policies
their company has in place.

The survey was sponsored by Cisco Systems and gathered responses from more
than 2,000 employees and IT professionals in 10 countries. What was found was
disturbing, if not startling-when asked if their companies had a security
policy, there was a 20 to 30 percent gap between what IT professionals said and
what other employees said. The largest gaps-31 percent-were in companies in the
United States, Brazil
and Italy.

Taken at face value, what this means is that many employees are oblivious to
the security policies a company has in place. Most of the time security
policies were passed along to employees via e-mail; an easy way of
disseminating information perhaps, but not necessarily the most effective.
"When most employees get another announcement from IT about some policy
or what have you, the typical response is to hit delete," said Marie
Hattar, vice president of Network Systems and Security Solutions at Cisco.
"That kind of nonverbal mode of communication, if you are depending on
that, is not a very effective way of [informing employees]."
Though the survey did not cover whether employees who received messages
about security policies face-to-face were more aware of the policies, holding
office meetings gives employees a chance to ask questions and have a voice in
the policy-making process.

Beyond the communication factor, there is also a gap between IT's
perceptions of why policies are violated and employees' true motivations. When
employees were asked why they broke security policies, the most popular responses
in all 10 countries were either that the policies don't align with the
realities of their job, they need access to applications not included in the
policy, or both.
When IT pros were asked why employees violated policy, the most popular
answers were variations on the theme of apathy and a lack of awareness.
Here, the problem is most likely related to a lack of understanding on the
part of IT pros about how employees use technology to do their jobs. The end
result is "greynets."
"I think generally there is sort of this tremendous growth in
user-driven adoption of collaborative application, Web-enabled
technology," said David Goddard, vice president of Security Assurance at
Cisco. "There are many examples of that, from initial adoption of instant
messaging tools to wikis ... if IT is communicating a policy that isn't agile
enough to stay current, or at least be able to communicate the risk associated
with those technologies if they're not IT supported or approved, the users will
say, 'Look you're constraining my ability to drive towards productivity.'"
Addressing this issue means the authors of security
policy need to understand the realities of the business, and look at security
as an enabler of business processes rather than a digital stop sign.